  1. #1
    stephencolbert (Banned)
    Join Date: Oct 2007
    Age: 57
    Posts: 7

    Major Security Hole Discovered

    I have discovered a major security hole in this site. When you upload files to the blog (image and html files) I am able to upload and host html files with javascript links. This hole is too lame to be called cross site scripting (XSS). It is really just a gaping hole. I can give you a proof of concept if you like.

    I bet you a lifetime supply of supplements that I can get bodybuilding.com account holders to browse to a page hosted on your site and then use ajax methods to modify/delete their body stats without their knowledge.

    Is anyone in charge of this mess? Seems like ever since this site came under new ownership (Liberty Media) there has been a never-ending list of problems. Did you guys outsource your programmers to India to save money?

  2. #2
    mikecart1 (Registered User)
    Join Date: Jul 2007
    Posts: 3,848

    Originally Posted by stephencolbert:
    I have discovered a major security hole in this site. When you upload files to the blog (image and html files) I am able to upload and host html files with javascript links. This hole is too lame to be called cross site scripting (XSS). It is really just a gaping hole. I can give you a proof of concept if you like.

    I bet you a lifetime supply of supplements that I can get bodybuilding.com account holders to browse to a page hosted on your site and then use ajax methods to modify/delete their body stats without their knowledge.

    Is anyone in charge of this mess? Seems like ever since this site came under new ownership (Liberty Media) there has been a never-ending list of problems. Did you guys outsource your programmers to India to save money?
    Also, the workout tracking doesn't work. Along with:

    -visitor page views
    -updates to stats don't show up on the forum
    -major lag
    Deadlift 520lbs
    Squat 405lbs
    Bench 260lbs

  3. #3
    Diab0lic (♞♞♞♞♞♞♞)
    Join Date: Aug 2004
    Location: New Zealand
    Posts: 10,882
    Bump?

  4. #4
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    Dude I thought you were full of crap until I tested it out. This is real. I looked into this some more and found that the blog is vulnerable in the actual posts and pages as well. You can script on the blog posts and pages through the on-events in html elements such as onclick, onmouseover, etc.

    Here is a simple non-malicious test:
    http://blog.bodybuilding.com/smedley...3/30/text-xss/

    This thread has been sitting open for several days and no response from bb.com. I love it.

  5. #5
    Sounds Good (Strawberry Fields)
    Join Date: Mar 2005
    Posts: 10,946
    intriguing
    "The difference between stupidity and genius is that genius has its limits." Albert Einstein

    The Greatest Thread in the history of The Misc or the internet itself. Hats off to KaptN

    http://forum.bodybuilding.com/showthread.php?t=4039343

  6. #6
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    Ok Mr. Colbert I found exactly what you are talking about.

    So basically you go to the blog and create a new post. In that section you will see an upload dialog at the bottom of the screen.


    Once you upload the file it is completely accessible and is located within the bodybuilding.com domain. Just copy the link location (as seen "Test" above).

    Since the html file is located within the bodybuilding.com domain you can use ajax to submit/post forms to any page that accepts them on the site without the user's knowledge.

    For example you could force the user through the cart url via ajax and then capture their personal information in the response (if they are already logged in, that is).
    https://www.bodybuilding.com/cart/ca...&mode=checkout
    All with a simple mouseover wrapped around a picture of Jamie Eason. There are a million things that you could do.

    For the love of god Bodybuilding.com fix this immediately.
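
An added example (mine, not the site's code or any poster's) of the server-side checks that close the upload hole smedleybutler describes: allowlisting the extension, verifying the bytes carry a real image signature, refusing anything that would content-sniff as HTML, and sending headers that stop a stored upload from being treated as a page. Function names and the 512-byte sniff window are my choices; the tag list follows the WHATWG MIME-sniffing algorithm.

```python
"""Upload acceptance policy for a blog image uploader.

Added example, not the site's own code.  The hole described in the thread was
that any file, HTML included, could be uploaded and was then served from the
site's own origin, so a visitor's browser ran it with the site's cookies.
Three checks close the server side of that: allowlist the extension, verify
the bytes really are one of the permitted image formats, and never let the
browser sniff a served upload into HTML.  Serving uploads from a separate
origin is the structural fix; the headers below are defence in depth.
"""
import os
import re

# Permitted formats: (magic prefix, canonical MIME type, extensions that may carry it)
IMAGE_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
]

# Opening tags the WHATWG MIME-sniffing algorithm treats as "this is HTML"
# when they appear after optional leading whitespace and are followed by a
# space or '>'.  A browser without X-Content-Type-Options does the same.
_HTML_TAGS = (
    "!doctype html", "html", "head", "script", "iframe", "h1", "div", "font",
    "table", "a", "style", "title", "b", "body", "br", "p",
)
_HTML_RE = re.compile(
    r"^\s*<(?:!--|(?:" + "|".join(re.escape(t) for t in _HTML_TAGS) + r")[\s>])",
    re.IGNORECASE,
)


def sniffs_as_html(data: bytes) -> bool:
    """True if the first bytes would be content-sniffed as an HTML document."""
    head = data[:512].decode("latin-1")  # one char per byte; never raises
    return _HTML_RE.match(head) is not None


def detect_image(data: bytes):
    """Return (mime, allowed_extensions) when the bytes carry a permitted image
    signature, else None.  The content decides, never the filename."""
    for magic, mime, exts in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return mime, exts
    return None


def check_upload(filename: str, data: bytes):
    """Decide whether an upload may be stored.

    Returns (True, mime) to accept, or (False, reason) to reject."""
    if sniffs_as_html(data):
        return False, "content sniffs as HTML"
    detected = detect_image(data)
    if detected is None:
        return False, "content is not a permitted image format"
    mime, exts = detected
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in exts:
        return False, f"extension .{ext} does not match content type {mime}"
    return True, mime


def serve_headers(mime: str, stored_name: str) -> dict:
    """Response headers for a stored upload.  nosniff stops the browser from
    re-interpreting the body as HTML; the CSP sandbox gives the response an
    opaque origin, so even a mis-served file cannot script against the site."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": f'inline; filename="{stored_name}"',
    }


if __name__ == "__main__":
    # Constructed sample uploads: a minimal PNG header, an HTML page named as
    # an image, and a GIF header carrying a mismatched extension.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("photo.png", png))
    print(check_upload("photo.png", b"<html><body>x</body></html>"))
    print(check_upload("photo.jpg", b"GIF89a" + b"\x00" * 16))
```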

  7. #7
    Sounds Good (Strawberry Fields)
    Join Date: Mar 2005
    Posts: 10,946
    Originally Posted by smedleybutler:
    Ok Mr. Colbert I found exactly what you are talking about.

    So basically you go to the blog and create a new post. In that section you will see an upload dialog at the bottom of the screen.


    Once you upload the file it is completely accessible and is located within the bodybuilding.com domain. Just copy the link location (as seen "Test" above).

    Since the html file is located within the bodybuilding.com domain you can use ajax to submit/post forms to any page that accepts them on the site without the user's knowledge.

    For example you could force the user through the cart url via ajax and then capture their personal information in the response (if they are already logged in, that is).
    https://www.bodybuilding.com/cart/ca...&mode=checkout
    All with a simple mouseover wrapped around a picture of Jamie Eason. There are a million things that you could do.

    For the love of god Bodybuilding.com fix this immediately.
    x2, I'm not ordering anything until this **** is fixed

  8. #8
    stephencolbert (Banned)
    Join Date: Oct 2007
    Age: 57
    Posts: 7
    Still no response from anyone at bodybuilding.com. I did you a favor pointing this out. As nasty as this is I expected a response within a couple of hours.

    Call your Indian programmers and get this fixed. I was going to digg this post on http://digg.com just to get your attention but they have blacklisted this site for

    guess what ......

    wait for it ...........................

    being a spam site.

    Now where would they get that idea?

  9. #9
    outbreak (Carb Depleted)
    Join Date: May 2005
    Location: WA, Australia
    Age: 36
    Posts: 1,264
    I cannot believe they haven't replied or done anything about it. That's just crazy with the amount of credit card numbers being pumped into this site daily.
    I'll get this one, put it on my card
    I get frequent flyer mileage
    And a booklet of upgrades
    So next time I visit the third world
    I won't have to fly second class

    Journal: currently doing westside for skinny bastards. http://forum.bodybuilding.com/showthread.php?t=4009573

  10. #10
    gill998 (procrastinating)
    Join Date: Aug 2006
    Location: ON, Canada
    Age: 29
    Posts: 279
    Originally Posted by smedleybutler:
    Dude I thought you were full of crap until I tested it out. This is real. I looked into this some more and found that the blog is vulnerable in the actual posts and pages as well. You can script on the blog posts and pages through the on-events in html elements such as onclick, onmouseover, etc.

    Here is a simple non-malicious test:
    http://blog.bodybuilding.com/smedley...3/30/text-xss/

    This thread has been sitting open for several days and no response from bb.com . I love it.
    Wow, that's impressive. Why hasn't anyone done anything about it?

    Bumped so more people can see this.
    all the misc .com not so elite #38.
    pro hormone forum .com not so elite #932.

  11. #11
    Sounds Good (Strawberry Fields)
    Join Date: Mar 2005
    Posts: 10,946
    Originally Posted by gill998:
    Wow, that's impressive. Why hasn't anyone done anything about it?

    Bumped so more people can see this.
    Now he's banned. Sweet!

  12. #12
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    No Good Deed Goes Unpunished.

  13. #13
    damnglass (Registered User)
    Join Date: Apr 2007
    Location: oakville, ontario, Canada
    Posts: 925
    Originally Posted by smedleybutler:
    No Good Deed Goes Unpunished.
    Yeah, not like he could have used PMs to notify people who can notify the mods. Spreading it even on a rarely used forum is still ****ing dumb. Sucks he didn't do it the right way. Smart to figure that out; once again, common sence < intelligence.

  14. #14
    skippy (Registered User)
    Join Date: Sep 2002
    Posts: 5,544
    Holy Crap! I tried it myself.

    http://blog.bodybuilding.com/skippy/2008/03/31/5414472/

    Website Security 101: Prevent XSS!

    This is just plain ridiculous! A few years ago a hacker exploited one of the sub forums that had html enabled (I think html is disabled on all the forums now).

    He posted some javascript to steal and log the viewer's cookies. Once a moderator viewed the post the damage was done.

    The hacker set his own cookies to match the cookies of the moderator and presto! He had just hijacked the moderator's account.

    He went around creating threads and stickied them, then posted in the Moderator Forum (which is visible and accessible only to moderators/admins).

    It was weird! He had complete access to the site, the same as the actual moderator did.

    He would have had even more access had an admin viewed the post and he hijacked an admin's account.

    Talk about a security hole!
    THE PITSBURGH STEELERS WERE THE BEST TEAM IN THE AFC BUT THE DENVER BRONCOS HAVE THE BEST LEFT HANDED QUARTERBACK.

    Reps owed: Mitch1313
    Negs owed: aboriginalLiftr (trolling mind=nuked thread: http://forum.bodybuilding.com/showthread.php?t=140649661)

  15. #15
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    Originally Posted by damnglass:
    Yeah, not like he could have used PMs to notify people who can notify the mods. Spreading it even on a rarely used forum is still ****ing dumb. Sucks he didn't do it the right way. Smart to figure that out; once again, common sence < intelligence.
    You spelled sense wrong. Sorry dude, I couldn't help myself.

  16. #16
    struck (Registered User)
    Join Date: Nov 2006
    Age: 31
    Posts: 407
    Who allows unfiltered and unsanitized HTML in anything that goes to the front end? It's 2008, come on now!
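
An added example (mine, not the site's code) of the filtering struck is asking for and a fix for the on-event handlers smedleybutler found in post #4: an allowlist sanitizer built on Python's html.parser that rebuilds the markup, dropping every attribute not on the list (so onclick, onmouseover and friends disappear without a blacklist), discarding script/style/iframe content, and rejecting javascript: URLs. The tag and attribute allowlist is my assumption about what a blog post needs.

```python
"""Allowlist HTML sanitizer for user-supplied blog markup.

Added example, not the site's own code.  The thread describes two ways the
blog ran attacker markup: inline event-handler attributes (onclick,
onmouseover, ...) on ordinary elements, and raw HTML reaching the front end
unfiltered.  The defensive pattern is to rebuild the markup from an allowlist
rather than strip known-bad strings: unknown tags are dropped (their text is
kept), unknown attributes are dropped, which removes every on* handler at
once, and URL attributes must use a safe scheme.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a post may contain, each with the attributes allowed on it (assumed).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID = {"br", "img"}


def safe_url(value: str) -> bool:
    """Accept only http(s), mailto or relative URLs.  Browsers ignore control
    characters and whitespace inside a scheme ("java\\tscript:"), so those are
    removed before the scheme is read; urlsplit lowercases it for us."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return urlsplit(cleaned).scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0    # >0 while inside a DROP_WITH_CONTENT element
        self._open = []   # emitted tags still open, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = 1
            return
        if tag not in ALLOWED:
            return  # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names, unescapes values
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # drops onclick, onmouseover, style, ... by default
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in self._open:  # also closes anything left open inside it
            while self._open:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
    # Comments, <!DOCTYPE> and <?pi?> fall through to the no-op defaults.

    def result(self) -> str:
        self.close()
        while self._open:
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return a version of `html` containing only allowlisted markup."""
    s = Sanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed samples mirroring the thread: an on-event on a picture and
    # a javascript: link.  Both come out as harmless markup.
    print(sanitize('<img src="/eason.jpg" onmouseover="handler()">'))
    print(sanitize('<a href="JavaScript:alert(1)" title="click">hi</a>'))
```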

  17. #17
    gill998 (procrastinating)
    Join Date: Aug 2006
    Location: ON, Canada
    Age: 29
    Posts: 279
    Originally Posted by Holler Back:
    now he's banned. sweet!
    I think it was for the fake avi.

  18. #18
    BodySpaceAdmin (MOD)
    Join Date: Aug 2006
    Location: Idaho, United States
    Posts: 4,019
    Originally Posted by struck:
    Who allows unfiltered and unsanitized HTML in anything that goes to the front end? It's 2008, come on now!
    LOL, the guy who allowed it no longer works here... Anyway, should be plugged within a few hours, guys.
    Want to close your account? Please contact our Customer Service department (anytime 24/7!) - and they can assist you with that:

    https://www.bodybuilding.com/help?bodyspace

  19. #19
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    Due to the nature of cross site scripting there is no way to tell how many accounts were compromised. Doesn't that mean you assume that all accounts were compromised?

    Here is a white paper on xss and its impact on business.

    http://www.virtualforge.de/whitepape...ing_impact.pdf

    I believe the phrase "compliance violation" comes into play here.

    When and how will all the users be contacted? Should I be looking for a letter in the mail?

  20. #20
    BodySpaceAdmin (MOD)
    Join Date: Aug 2006
    Location: Idaho, United States
    Posts: 4,019
    Originally Posted by BodySpaceAdmin:
    LOL, the guy who allowed it no longer works here... Anyway, should be plugged within a few hours, guys.
    Hole is plugged now. Thanks to everyone (especially "stephencolbert") for bringing this to our attention!

  21. #21
    smackshosh (Big Balla)
    Join Date: Jul 2006
    Posts: 820
    gjdm, I was getting worried there for a minute. Maybe you should hire someone to analyze security flaws and make sure this doesn't happen again?
    Misc Vigilante. Allegiance only to myself.
    Owe to: CLP1 x 2; Heartless (spread) | Negs: ChefPete

    Owed reps by:
    BackThen; Leeroy Jenkins; AquaDouche; sibrek; masterjb (h4te no show)
    Alex B. (Kansas vs UNC)
    YeahImaBeast; Beast2Be; giggedyyy; Ominus; BillyDeanM
    (Memphis vs Kansas)

  22. #22
    skippy (Registered User)
    Join Date: Sep 2002
    Posts: 5,544
    Originally Posted by BodySpaceAdmin:
    Hole is plugged now. Thanks to everyone (especially "stephencolbert") for bringing this to our attention!
    All joking aside, cross site scripting is no laughing matter.

    I wonder how many accounts were compromised? There is no way of knowing -- just like with identity theft the victim is the last to find out.

    The blog went live, what, a year and a half ago? So that security hole has been there all this time and it is only NOW that it got fixed?

    Are you guys going to conduct a security audit to find out what other areas of Bodybuilding.com are vulnerable?

    Are you going to alert the user base of this security breach? I personally have changed my password and would strongly suggest all members do the same.

  23. #23
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    I think Pee-Wee Herman said it best.

    "It's like you're unraveling a big cable-knit sweater that someone keeps knitting and knitting and knitting and knitting and knitting and knitting..."



  24. #24
    smedleybutler (I am the eggman)
    Join Date: Nov 2006
    Posts: 83
    Originally Posted by BodySpaceAdmin:
    Hole is plugged now. Thanks to everyone (especially "stephencolbert") for bringing this to our attention!
    Oh Really!

    I think StephenColbert should be unbanned so he can show us where the rest of the holes are.

    That is if he is willing to come back.

  25. #25
    skippy (Registered User)
    Join Date: Sep 2002
    Posts: 5,544
    Here is a thread with some of the fallout when a hacker used cross-site scripting techniques to hijack some Bodybuilding.com accounts.

    This was July 2006.

    IntensityX hacking...

    Originally Posted by JackDamian:
    Rofl, I had almost forgotten about you, Intensity.

    I already apologized to Sawastea for having to use his account as the main example. I owe you a BIG apology since I had completely forgotten about your account; and you could have been banned for good.

    More than anything though, I'm disappointed. Sawastea seems very angry towards me. As does everyone else. Do you know why they disabled html here? Do you know why they knew that was the MAIN problem? Because I showed them and then told them.

    You all are stuck on some raged fixation that I'm a hacker, and I was hacking into your accounts. 50% of that is actually true.

    I hacked the accounts only to set an example of how easy it really is to gain access to a staff member's account. True, I could have emailed the admin and told him, but let's look at the fact of the situation. The admin, understandably, will get tons of emails a day. He will attend to those sent by users of urgent importance.

    Not only that, but I found the vulnerability, so of course I wanted to check it out. The only harm I've caused is a few spam posts, and a thread about it in the mod section. And the infringement on your privacy? If you keep insulting my charity, I might just detest you enough to do something about it. Please don't insult me for helping the forum you enjoy.

    But again, I apologize. I was going to use my account, and then catch a staff's account, and go from there. But I needed an account with posts, so a staff member had reason to look. When that didn't work too much, I spammed, knowing a staff member would come clean it up. Again, I apologize, but I urge you to understand the example I was setting.

    With much love to the BB forums and their safety,
    Jack of ConsoleCodes.net

    Edit:
    To all who are considering changing your password, go for it. I took control of Intensity's account because it was the first person to be infected. The same goes for Sawastea too; he was the first staff member to become infected. All my logs have been cleared and all information of anyone who's infected is gone. But if you're still wary, which is fine, just change your password. No biggie.
    THE PITSBURGH STEELERS WERE THE BEST TEAM IN THE AFC BUT THE DENVER BRONCOS HAVE THE BEST LEFT HANDED QUARTERBACK.

    Reps owed: Mitch1313
    Negs owed: aboriginalLiftr (trolling mind=nuked thread: http://forum.bodybuilding.com/showthread.php?t=140649661)

  26. #26
    U admirin' Aussies? CTB's Avatar
    Join Date: Oct 2006
    Location: United States
    Age: 37
    Posts: 3,004
    Rep Power: 2746
    CTB is a glorious beacon of knowledge. (+2500)
    CTB is offline
    I really think this thread should be brought to more people's attention, shouldn't something be stickied in each of the forums to get people to change their passwords or something?
    www.bigunitbarbell.com

  27. #27
    Banned thickmasss's Avatar
    Join Date: Apr 2007
    Location: Australia
    Posts: 5,410
    Rep Power: 0
    thickmasss is just really nice. (+1000)
    thickmasss is offline
    OP banned? lol ..

  28. #28
    Registered User Smokin Horn's Avatar
    Join Date: Jan 2005
    Posts: 5,080
    Rep Power: 1903
    Smokin Horn is just really nice. (+1000)
    Smokin Horn is offline
    interesting

  29. #29
    Registered Abuser falconXR's Avatar
    Join Date: Jun 2006
    Location: Victoria, AND Queensland, Australia
    Posts: 5,699
    Rep Power: 2655
    falconXR is just really nice. (+1000)
    falconXR is offline
    Wow strong nerds n ****...
    I rep back on the first date...

    "Quitters never win, winners never quit, but those who never win AND never quit are idiots."

  30. #30
    Registered User SCOTCHTAPE's Avatar
    Join Date: Jun 2007
    Age: 44
    Posts: 40
    Rep Power: 0
    SCOTCHTAPE has no reputation, good or bad yet. (0)
    SCOTCHTAPE is offline
    OP banned? This looks like an inside job. Misc detectives.....
